
Article State

Approved

Article Number

KB-20171220205647

Product

Fortigate Firewall FGT 90D, Version v5.4.5,build1138 (GA)
Summary

How to restart the IPS daemon (intrusion prevention system engine)

Language

EN

DE

Issue

High / heavy load, memory or CPU usage; conserve mode

Unspecific malfunction, security issue

Cause

Bad performance, bad security, FortiGate entered conserve mode

Solution

  1. Restart / watch the FortiGate ipsmonitor
    1. Connect to the FortiGate via SSH or use the Web CLI
    2. Enter the command: diagnose test application ipsmonitor

      1. Display IPS engine information

        You will get the following output:
        Firewall # diagnose test application ipsmonitor
        
        IPS Engine Test Usage:
        
            1: Display IPS engine information
            2: Toggle IPS engine enable/disable status
            3: Display restart log
            4: Clear restart log
            5: Toggle bypass status
            6: Submit attack characteristics now
           10: IPS queue length
           11: Clear IPS queue length
           12: IPS L7 socket statistics
           13: IPS session list
           14: IPS NTurbo statistics
           15: IPSA statistics
           16: Display device identification cache
           17: Clear device identification cache
           21: Reload FSA malicious URL database
           22: Reload whitelist URL database
           24: Display Flow AV statistics
           25: Reset Flow AV statistics
           96: Toggle IPS engines watchdog timer
           97: Start all IPS engines
           98: Stop all IPS engines
           99: Restart all IPS engines and monitor
        
        Firewall #
    3. Check the restart log / ipsengine exit log
      1. Frequent restarts can lead to packet loss

        Firewall # diagnose test application ipsmonitor 3
        
        ipsengine exit log:
            pid = 23044(master), duration = 31 (s) at Tue Jan  2 16:22:59 2017
                code = 11, reason: manual
            pid = 23090(master), duration = 88 (s) at Tue Jan  2 16:24:27 2017
                code = 11, reason: manual
            pid = 23212(master), duration = 689 (s) at Tue Jan  2 16:35:56 2017
                code = 11, reason: manual
            pid = 24205(master), duration = 73 (s) at Tue Jan  2 16:37:09 2017
                code = 11, reason: manual
            pid = 24311(master), duration = 31 (s) at Tue Jan  2 16:37:40 2017
                code = 11, reason: manual
            pid = 24357(master), duration = 378 (s) at Tue Jan  2 16:43:58 2017
                code = 11, reason: manual
            pid = 24905(master), duration = 36 (s) at Tue Jan  2 16:44:34 2017
                code = 11, reason: manual
            pid = 24957(master), duration = 628 (s) at Tue Jan  2 16:55:02 2017
                code = 11, reason: manual
            pid = 25867(master), duration = 336 (s) at Tue Jan  2 17:00:38 2017
                code = 11, reason: manual
            pid = 26363(master), duration = 184 (s) at Tue Jan  2 17:03:42 2017
                code = 11, reason: manual
            pid = 26632(master), duration = 829 (s) at Tue Jan  2 17:17:31 2017
                code = 11, reason: manual
            pid = 27833(master), duration = 70 (s) at Tue Jan  2 17:18:41 2017
                code = 11, reason: manual
            pid = 27937(master), duration = 1876 (s) at Tue Jan  2 17:49:57 2017
                code = 11, reason: manual
            pid = 30652(master), duration = 32 (s) at Tue Jan  2 17:50:29 2018
                code = 11, reason: manual
            pid = 30698(master), duration = 493 (s) at Tue Jan  2 17:58:42 2018
                code = 11, reason: manual
            pid = 31426(master), duration = 370 (s) at Tue Jan  2 18:04:52 2018
                code = 11, reason: manual
            pid = 31968(master), duration = 58 (s) at Tue Jan  2 18:05:50 2018
                code = 11, reason: manual
            pid = 32053(master), duration = 4483 (s) at Tue Jan  2 19:20:33 2018
                code = 11, reason: manual
            pid = 6099(master), duration = 6998 (s) at Tue Jan  2 21:17:11 2018
                code = 11, reason: manual
        
        
        
    4. Check conserve mode thresholds
      1. Firewall # diagnose hardware sysinfo conserve
        memory conserve mode: off
        total RAM:                           1839 MB
        memory used:                          704 MB   38% of total RAM
        memory used threshold extreme:       1747 MB   95% of total RAM
        memory used threshold red:           1618 MB   88% of total RAM
        memory used threshold green:         1508 MB   82% of total RAM
        
        Firewall #
        
        
        
    5. Restart all IPS engines and monitor


      1. Firewall # diagnose test application ipsmonitor 99
        restarting ipsmonitor
        
        
        
    6. Check IPS engine uptime

      1. Firewall # diagnose test application ipsmonitor 1
        pid = 2433, engine count =  2
        0 - pid:2437:2437 cfg:1 master:0 run:1
        1 - pid:2441:2441 cfg:0 master:1 run:1
        
        pid:         2441 index:1 master
        version:     05004000FLEN02200-00003.00430-1708222014
        up time:     0 days 0 hours 1 minutes
        init time:   1 seconds
        socket size: 32(MB)
        database:    regular
        bypass:      disable
        
        Firewall #
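
The checks in steps 3 and 4 can be run over captured CLI output. The Python below is an added example, not part of the original article: it parses the output of `diagnose test application ipsmonitor 3` and `diagnose hardware sysinfo conserve`, lists short-lived engine runs and reports memory headroom. The function names and the 60-second short-uptime threshold are assumptions; the sample input is excerpted from the output shown above.

```python
import re
from statistics import median

# Sample input: excerpts of the command output shown on this page.
EXIT_LOG = """\
ipsengine exit log:
    pid = 23044(master), duration = 31 (s) at Tue Jan  2 16:22:59 2017
        code = 11, reason: manual
    pid = 23090(master), duration = 88 (s) at Tue Jan  2 16:24:27 2017
        code = 11, reason: manual
    pid = 23212(master), duration = 689 (s) at Tue Jan  2 16:35:56 2017
        code = 11, reason: manual
    pid = 6099(master), duration = 6998 (s) at Tue Jan  2 21:17:11 2018
        code = 11, reason: manual
"""
CONSERVE = """\
memory conserve mode: off
total RAM:                           1839 MB
memory used:                          704 MB   38% of total RAM
memory used threshold extreme:       1747 MB   95% of total RAM
memory used threshold red:           1618 MB   88% of total RAM
memory used threshold green:         1508 MB   82% of total RAM
"""

# Each exit entry spans two lines: pid/duration/timestamp, then code/reason.
ENTRY = re.compile(r"pid = (\d+)\((\w+)\), duration = (\d+) \(s\) at (.+?)\s*\n"
                   r"\s*code = (\d+), reason: (\S+)")

def parse_exit_log(text):
    """Return one dict per ipsengine exit entry."""
    return [{"pid": int(p), "role": role, "uptime_s": int(d), "at": at,
             "code": int(c), "reason": r}
            for p, role, d, at, c, r in ENTRY.findall(text)]

def restart_summary(entries, min_uptime_s=60):
    """Summarise exits; min_uptime_s is an assumed review threshold."""
    return {"exits": len(entries),
            "short_lived_pids": [e["pid"] for e in entries
                                 if e["uptime_s"] < min_uptime_s],
            "median_uptime_s": median(e["uptime_s"] for e in entries),
            "non_manual": [e for e in entries if e["reason"] != "manual"]}

def parse_conserve(text):
    """Return conserve-mode state, MB values by label, and headroom to green."""
    mb = {k.strip(): int(v) for k, v in re.findall(r"^(.+?):\s+(\d+) MB", text, re.M)}
    state = re.search(r"memory conserve mode:\s*(\w+)", text).group(1)
    return {"conserve_mode": state, "mb": mb,
            "headroom_to_green_mb": mb["memory used threshold green"] - mb["memory used"]}
```

Entries returned in `non_manual` are exits whose reason is not `manual`, meaning the engine stopped without an operator restart, and are the ones to review first.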
        
        
        





Workaround

Notes